Re: CERT Advisory on malicious scripts

This WebDNA talk-list message is from 2000. It keeps the original formatting.
numero = 26993
interpreted = N
texte =
> CERT has released an advisory regarding web based systems, such as
> message boards, and their ability to include malicious scripts. Does
> anyone have any quick method for recognizing malicious code from form
> entries processed by webCat?

The simplest method to prevent this problem is to strip the < character from your form values using a special db with convertchars to convert it to nothing. This effectively prevents people from creating HTML tags.

If you need to allow them to create HTML tags, then you will have to do more work:

Create a db that lists any tags you will not allow, and look for each of those tags in every form field (not just the user-editable fields as you might think), then post an error message saying something like The
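The two approaches the reply describes, written out as an added example in Python rather than WebDNA (this is not code from the original message or from the WebDNA project): a character-conversion table stands in for the "special db with convertchars", and a list of disallowed tags stands in for the "db that lists any tags you will not allow", checked against every form field including hidden ones. The names `STRIP_TABLE`, `ESCAPE_TABLE`, `DISALLOWED_TAGS`, `convert_chars`, `sanitize_form`, `find_disallowed_tags` and the sample form are all constructed here.

```python
import re

# Constructed conversion tables standing in for the convertchars db the post
# describes: each key character is replaced by its value.
# STRIP_TABLE reproduces the post's advice literally (convert "<" to nothing);
# ESCAPE_TABLE is the usual alternative that keeps the character visible but inert.
STRIP_TABLE = {"<": ""}
ESCAPE_TABLE = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}

# Constructed blocklist standing in for the "db that lists any tags you will
# not allow". Deliberately short; a real list would be longer and still incomplete.
DISALLOWED_TAGS = ["script", "iframe", "object", "embed", "img"]


def convert_chars(value: str, table: dict) -> str:
    """Apply a character-conversion table to one form value (single pass,
    so '&' -> '&amp;' cannot be re-expanded)."""
    return "".join(table.get(ch, ch) for ch in value)


def sanitize_form(form: dict, table: dict) -> dict:
    """Run the conversion over EVERY field, hidden ones included: a hidden
    field is just as attacker-controlled as a visible textarea."""
    return {field: convert_chars(value, table) for field, value in form.items()}


def find_disallowed_tags(form: dict) -> list:
    """Blocklist check over every field. Returns (field, tag) pairs so the
    error message can say which field tripped. Matching is case-insensitive
    and tolerates whitespace and a closing slash after '<'."""
    hits = []
    for field, value in form.items():
        for tag in DISALLOWED_TAGS:
            pattern = r"<\s*/?\s*" + re.escape(tag) + r"\b"
            if re.search(pattern, value, re.IGNORECASE):
                hits.append((field, tag))
    return hits


# Constructed sample submission: one harmless tag, one disallowed tag in a
# visible field, and one disallowed tag smuggled into a "hidden" field.
SAMPLE_FORM = {
    "subject": "Hello <b>world</b>",
    "body": "check this <SCRIPT>x</SCRIPT> out",
    "hidden_id": "42<iframe src=x>",
}

if __name__ == "__main__":
    print("blocklist hits on raw form:", find_disallowed_tags(SAMPLE_FORM))
    stripped = sanitize_form(SAMPLE_FORM, STRIP_TABLE)
    print("after stripping '<':", stripped)
    print("blocklist hits after strip:", find_disallowed_tags(stripped))
    print("escaped body:", convert_chars(SAMPLE_FORM["body"], ESCAPE_TABLE))
```

Once `<` has been converted (to nothing or to `&lt;`), no field can form a tag at all, so the blocklist finds nothing; that is why the post calls it the simplest fix. The blocklist only ever catches the tags someone thought to list, which is why it is the fallback for the case where some HTML must be allowed through.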